CVE-2026-43983 HIGH

CVE-2026-43983: Pocket ID: OIDC refresh token flow bypasses authorization revocation, account disabling, and group restrictions

Vendor Pocket-Id

Product pocket-id

Weakness CWE-285

Published May 12, 2026

Last update May 13, 2026

View on NVD All CVEs

CVSS base score

8.5/10

Attack vector Network

Attack complexity Low

Privileges required Low

User interaction —

Confidentiality —

Integrity —

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N

What the vulnerability does

01Description

Pocket ID is an OIDC provider that allows users to authenticate with their passkeys to your services. Prior to 2.6.0, The createTokenFromRefreshToken function (oidc_service.go) validates the refresh token's cryptographic integrity but does not re-validate the user's current authorization state before issuing new tokens. This allows (1) the client to refresh the token indefinitely after authorization revocation, (2) the refresh token to continue to work after the account is disabled, and (3) the token to work after the client is removed from the group. This vulnerability is fixed in 2.6.0.

Key dates

02Disclosure timeline

May 12, 2026 CVE published

May 13, 2026 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2026-43983

Related vulnerabilities

CVE-2026-43983: Pocket ID: OIDC refresh token flow bypasses authorization revocation, account disabling, and group restrictions

01Description

02Disclosure timeline

03References

04Related CVE